First published: Fri Feb 09 2024(Updated: )
### Impact This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. ### Patches The identified vulnerability has been remedied in fix #2509 and will be included in versions released after 2.1.3. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. ### Workarounds A temporary workaround involves filtering underscores before incorporating user input into the message template. ### References - [Pull Request #2509](https://github.com/nonebot/nonebot2/pull/2509) - [CWE-1336](https://cwe.mitre.org/data/definitions/1336.html)
Affected Software | Affected Version | How to fix |
---|---|---|
pip/nonebot2 | >=2.0.0a16<=2.1.3 | 2.2.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.